
METHODIST UNIVERSITY COLLEGE GHANA

Design and Implementation of Appropriate VLAN to Assist in the Elimination of Local Area Network Flooding, Looping and Gratuitous Collision Domain for Efficient Routing and Packet Flow. Case Study of AAL COMPANY LTD.

Isaac Lamptey ---------- BIT/EP/08/09/1216
Samuel Otu Afotey ------ BIT/EP/08/09/1228
Theophilus Nii Armah --- BIT/EP/08/09/1191

June 2012
Submitted in partial fulfilment of the requirements for
the degree of BSc in Information Technology

DECLARATION

This is to declare that the research work underlying this dissertation has been carried out by the undermentioned students under the supervision of the mentioned supervisor. Both the students and the supervisor certify that the work documented in this dissertation is the output of the research conducted by the students as part of their final year project work in partial fulfilment of the Bachelor of Science in Information Technology.

STUDENTS
SAMUEL OTU AFOTEY
ISAAC LAMPTEY
THEOPHILUS NII ARMAH

SUPERVISOR
MR ISAAC BANSAH

I. ABSTRACT
Techniques and issues regarding the development of an appropriate virtual local area network (VLAN) are detailed, together with the design steps and the protocols used to support the system efficiently. The objective of this design is to outline the planning stages and targets of deploying network devices, and the benefit of their VLAN support, before they are installed; this also gives businesses and organizations the competitive advantage of the technology. A careful study has been made of how a business wants to manage space, time and power (energy) effectively, and of the advantages and limitations involved. This is followed by a brief review of the architecture of a VLAN network, which is made up of a router and switches (layer 3, layer 2 and layer 1 equipment). The aim of this project is to develop an efficient and effective VLAN that does away with the ambiguous cost of network implementation. The project involves three phases: the development of detailed VLAN diagrams, the development of a method of device and configuration documentation (physical link and logical link), and the development of device running-configuration documentation. This is demonstrated with three laptops, each connecting to a separate VLAN, with resources made available on a desktop computer acting as a server for the laptops to access.
II. ACKNOWLEDGMENT

We would like to thank our supervisor, Mr Isaac Bansah, for his help in the formative stages of this project and for teaching us an alternative way of thinking, for his early help regarding the design of the VLAN and for teaching us in an innovative way during our BSc program (this applies also to all lecturers who taught us); the Head of Department, Dr Ofori, for his support and inspiration. We are also grateful to our Heavenly Father, who has supported us in all ways throughout our degree program. We also thank all participating panel members for every effort and the time provided for us in numerous ways to aid our program, and friends and colleagues for their understanding and support when we most needed it.

III. SCOPE AND DEFINITION

In a traditional LAN, workstations are connected to each other by means of a hub or a repeater. These devices propagate any incoming data throughout the network. However, if two stations attempt to send at the same time, a collision occurs and all of the transmitted data is lost. Once a collision has occurred, it continues to be propagated throughout the network by the hubs and repeaters. The original information therefore has to be re-sent after waiting for the collision to be resolved, which wastes a significant amount of time and resources. To prevent collisions from travelling through all the workstations in the network, a bridge or a switch can be used. These devices do not forward collisions, but they do allow broadcasts (to every user in the network) and multicasts (to a pre-specified group of users) to pass through. A router may be used to prevent broadcasts and multicasts from travelling through the network. The workstations, hubs and repeaters together form a LAN segment. A LAN segment is also known as a collision domain, since collisions remain within the segment. The area within which broadcasts and multicasts are confined is called a broadcast domain or LAN. Thus a LAN can consist of one or more LAN segments. Defining broadcast and collision domains in a LAN depends on how the

TABLE OF CONTENTS

I. Abstract
II. Acknowledgement
III. Scope and Definition
List of Figures
List of Tables

CHAPTER ONE: INTRODUCTION
1.1 General Overview
1.2 Plan of Project
1.3 Aims and Objectives
1.4 Client

CHAPTER TWO: LITERATURE REVIEW
2.1 TCP/IP Overview
2.2 TCP/IP Protocol Suites
2.3 SNMP and MIB
2.4 Network Management Overview
2.5 OSI Management Functions
2.5.1 Fault Management
2.5.2 Configuration Management
2.5.3 Performance Management
2.5.3 Accounting Management
2.5.4 Security Management
2.5 Client Server Paradigm
2.6 Routing and Routing Protocols
2.7 Unicast Routing
2.8 Multicast Routing
2.8.1 Routing Table Updates
2.8.2 LSP
2.9 Overview of VLANs
2.9.1 Benefits of VLANs

CHAPTER THREE: REQUIREMENTS ANALYSIS AND DESIGN
3.1 Background and Research Context
3.2 Review of Existing Infrastructure
3.3 Methodology
3.4 Requirements
3.5 Requirement Analysis and Specification
3.6 VLAN Design
3.7 Design Testing
3.8 Testing Problems

CHAPTER FOUR: IMPLEMENTATION, TESTING AND EVALUATION
4.1 Installation and Configuration of VLAN
4.2 Demonstrating Prototype Functionality with Simulators
4.3 Results
4.4 Effects of Load on Throughput and Latency
4.5 Bandwidth versus Throughput

CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.1 Conclusion
5.2 Recommendation
5.3 Suggested Future Work
5.4 Project Difficulties

BIBLIOGRAPHY
APPENDICES
APPENDIX 1 Questionnaire
APPENDIX 2 Data Dictionary
APPENDIX 3 Table Creation Configuration Script
APPENDIX 4 Interface Configuration Script
APPENDIX 5 Default Route
APPENDIX 6 Port Groupings
APPENDIX 7 Subnet Gateways

IV. LIST OF FIGURES
Figure 4.4.1 Diagram of a well-structured VLAN
Figure 4.4.2 Internet Distribution on a VLAN
Figure 5.1.1 Structured Systems Approach of a VLAN
Figure 5.2.1 Research Findings: businesses and organizations
Figure 5.2.2 Research Findings: organization
Figure 6.1.1 System Architecture
Figure 6.3.1 Configuration Structure

1.0 INTRODUCTION
A VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally it is a router that creates a broadcast domain; with VLANs, a switch can create the broadcast domain. A virtual local area network (virtual LAN or VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows end stations to be grouped together even if they are not located on the same network switch. LAN membership can be configured through software instead of physically relocating devices or connections.
To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment kept apart from the primary network. However, unlike a physically separate network, VLANs must share bandwidth: two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. It virtualizes LAN behaviors (configuring switch ports, tagging frames when entering.
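To make the tagging step concrete, the following is an added example (not code from the thesis or from AAL Company Ltd). It builds an Ethernet frame carrying an IEEE 802.1Q tag, strips the tag stack again the way a trunk port does on ingress, and works out which VLAN an untagged or priority-tagged frame lands in for a trunk with a given native VLAN. The MAC addresses, VLAN IDs and payload bytes are constructed sample values, and it goes beyond the single tag described above by also peeling stacked 802.1ad (QinQ) tags.

```python
"""IEEE 802.1Q tagging on Ethernet II frames.

Added example for this thesis; not code from the thesis or from AAL.
MAC addresses, VLAN IDs and payloads below are constructed sample values.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service/provider tag (S-TAG), the outer tag in QinQ
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
TAG_TPIDS = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_tag(vid, pcp=0, dei=0, tpid=ETHERTYPE_8021Q):
    """4-byte tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).

    VID 0 means "priority tagged, no VLAN membership"; VID 4095 is reserved.
    """
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet II frame; `tags` lists (vid, pcp, tpid) tuples, outermost first."""
    tag_bytes = b"".join(build_tag(vid, pcp, 0, tpid) for vid, pcp, tpid in tags)
    return mac_bytes(dst) + mac_bytes(src) + tag_bytes + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel every 802.1Q/802.1ad tag (outer to inner) and return the stack."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: no EtherType after tags")
        ethertype, = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated frame: TPID without TCI")
        tci, = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": mac_text(dst), "src": mac_text(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def trunk_ingress_vid(parsed, native_vid):
    """VLAN a trunk port assigns on ingress: the outer tag's VID, or the
    native VLAN for untagged and priority-tagged (VID 0) frames."""
    if parsed["tags"] and parsed["tags"][0]["vid"] != 0:
        return parsed["tags"][0]["vid"]
    return native_vid


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP,
                        b"\x00\x01\x08\x00\x06\x04\x00\x01",
                        tags=[(100, 0, ETHERTYPE_8021Q)])
    print(frame.hex())
    print(parse_frame(frame))
```

The parser stops at the first EtherType that is not a tag TPID, so a frame with no tag, one tag or several stacked tags all come out of the same function; the native-VLAN rule in trunk_ingress_vid is the behaviour the thesis refers to as "tagging frames when entering".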

1.1 GENERAL OVERVIEW


The requirements of information security within an organization have undergone two major changes in the last decades. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical and administrative means. An example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents. An example of the latter is the personnel screening procedures used during the hiring process.
With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident. This is especially the case for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a public telephone network, data network, or the Internet. The generic name for the collection of tools designed to protect data and to thwart hackers is computer security.

The second major change that affected security was the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during their transmission. In fact, the term network security is somewhat misleading, because virtually all business, government, and academic organizations interconnect their data processing equipment with a collection of interconnected networks. Such a collection is often referred to as an internet, and the term internet security is used.
There are no clear boundaries between these two forms of security. For example, one of the most publicized types of attack on information systems is the computer virus. A virus may be introduced into a system physically when it arrives on a diskette or optical disk and is subsequently loaded onto a computer. Viruses may also arrive over an internet. In either case, once the virus is resident on a computer system, internal computer security tools are needed to detect and recover from it.
This work focuses on internet security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. That is a broad statement that covers a host of possibilities. To give a feel for the areas covered, consider the following examples of security violations:
1. User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from manager D and updates its authorization file accordingly.
3. Rather than intercepting a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. E accepts the message as coming from manager D and updates its authorization file accordingly.

4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee's account. When the invalidation is accomplished, the server is to post a notice to the employee's file as confirmation of the action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee's action may go unnoticed for some considerable time.
5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.
Although this list by no means exhausts the possible types of security violations, it illustrates the range of concerns of network security.
Internetwork security is both fascinating and complex. Some of the reasons follow:

1. Security involving communications and networks is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the requirements for security services can be given self-explanatory one-word labels: confidentiality, authentication, non-repudiation, integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features. In many cases, successful attacks are designed by looking at the problem in a completely different way, thereby exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are often counterintuitive: it is not obvious from the statement of a particular requirement that such elaborate measures are needed. It is only when the various countermeasures are considered that the measures used make sense.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network certain security mechanisms are needed) and in a logical sense (e.g., at what layer or layers of an architecture such as TCP/IP (Transmission Control Protocol/Internet Protocol) mechanisms should be placed).
5. Security mechanisms usually involve more than a particular algorithm or protocol. They usually also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There is also a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism. For example, if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such time limits meaningless.
Thus, there is much to consider. This chapter provides a general overview of the subject matter that structures the material in the remainder of this work. We begin with a general discussion of network security services and mechanisms and of the types of attacks they are designed for. Then we develop a general overall model within which the security services and mechanisms can be viewed.

1.1.0 SECURITY TRENDS

In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). This report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms. These concerns are fully justified. As confirmation, consider the trends reported by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC).
Figure 1.1a shows the trend in Internet-related vulnerabilities reported to CERT over a 10-year period. These include security weaknesses in the operating systems of attached computers (e.g., Windows, Linux) as well as vulnerabilities in Internet routers and other network devices. Figure 1.1b shows the number of security-related incidents reported to CERT. These include denial-of-service attacks; IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents. Over time, the attacks on the Internet and Internet-attached systems have grown more sophisticated while the amount of skill and knowledge required to mount an attack has declined (Figure 1.2). Attacks have become more automated and can cause greater amounts of damage.
Figure 1.1 CERT Statistics
This increase in attacks coincides with an increased use of the Internet and with increases in the complexity of protocols, applications, and the Internet itself. Critical infrastructures increasingly rely on the Internet for operations. Individual users rely on the security of the Internet, email, the Web, and Web-based applications to a greater extent than ever. Thus, a wide range of technologies and tools are needed to counter the growing threat. At a basic level, cryptographic algorithms for confidentiality and authentication assume greater importance. As well, designers need to focus on Internet-based protocols and the vulnerabilities of attached operating systems and applications. This work surveys all of these technical areas.

1.1.1 THE OSI SECURITY ARCHITECTURE

[Figure: the OSI model. The Network layer carries packets and handles path determination and IP (logical addressing).]

To assess effectively the security needs of an organization and to evaluate and choose various
security products and policies, the manager responsible for security needs some systematic way
of defining the requirements of security and characterizing the approaches to satisfying those
requirements. This is difficult enough in a centralized data processing environment; with the
use of local area and wide area networks, the problems are compounded.

1.1.2 PLAN OF PROJECT

This thesis documents the development of a VLAN and has been structured to include discussion of the following areas.

1.1.3 AIMS AND OBJECTIVES

- Understand the AAL Company Limited network design
- Understand and implement VLAN technologies in a company network
- Plan, configure, and verify trunking, private VLANs and link aggregation with EtherChannel
- Understand Spanning Tree protocols
- Configure, verify and troubleshoot basic, Rapid and Multiple Spanning Tree
- Configure inter-VLAN routing and DHCP in a multilayer switched environment
- Understand how to deploy CEF-based multilayer switching
- Understand and implement high availability
- Understand, configure and verify first-hop redundancy protocols
- Understand, configure, and verify security in the campus infrastructure
- Monitor, analyze, and troubleshoot switch performance, connectivity and security issues
- Plan for wireless, voice and video applications in the company network
- Understand QoS
- Prepare the company infrastructure to support wireless, voice and video

Figure 1: Physical view of a VLAN.

VLANs allow a network manager to logically segment a LAN into different broadcast domains (see Figure 2). Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN.

Figure 2: Physical and logical view of a VLAN.

VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are to be included in the broadcast domain. Routers only have to be used to communicate between two VLANs.
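The following is an added worked example, not part of the thesis, that computes collision domains and broadcast domains for a small constructed topology (hosts A to E, hub H1, switches SW1 and SW2, router R1, VLANs 10 and 20; every name and number is an assumption). It applies the rules from the Scope and Definition section and the paragraph above: hubs merge collision domains, switches end them per port, switches forward broadcasts only within a VLAN, trunks carry one logical segment per VLAN with untagged frames falling into the native VLAN, and hosts and routers end both kinds of domain. Running the same topology with every switch port in VLAN 1 shows that switches alone shrink collision domains while it is the VLAN assignment that splits the broadcast domain; a mismatched access VLAN on an inter-switch link shows the reverse, two VLANs silently merged.

```python
"""Collision domains versus broadcast domains in a VLAN-capable LAN.

Added example; not the thesis's own code and not AAL's topology. The
sample LAN (hosts A-E, hub H1, switches SW1/SW2, router R1, VLANs 10/20)
is constructed. Rules modelled:
  * a hub repeats every frame to every port: one collision domain and one
    untagged broadcast segment across all of its links;
  * a switch gives each port its own collision domain and floods
    broadcasts only to ports in the same VLAN;
  * a trunk carries one logical segment per tagged VLAN; untagged frames
    on it belong to the native VLAN;
  * hosts and routers terminate both kinds of domain.
"""
from collections import defaultdict


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


class Lan:
    def __init__(self):
        self.hubs, self.hosts, self.routers = set(), set(), set()
        self.ports = {}   # (switch, port) -> ("access", vid) | ("trunk", frozenset(vids), native)
        self.links = []   # (device_a, port_a, device_b, port_b)

    def host(self, name): self.hosts.add(name)
    def hub(self, name): self.hubs.add(name)
    def router(self, name): self.routers.add(name)
    def access(self, sw, port, vid): self.ports[(sw, port)] = ("access", vid)
    def trunk(self, sw, port, vids, native=1): self.ports[(sw, port)] = ("trunk", frozenset(vids), native)
    def link(self, a, pa, b, pb): self.links.append((a, pa, b, pb))

    def _host_link(self, host):
        return next(i for i, (a, _, b, _) in enumerate(self.links) if host in (a, b))

    @staticmethod
    def _groups(root_of):
        by_root = defaultdict(list)
        for member, root in root_of.items():
            by_root[root].append(member)
        return sorted(tuple(sorted(g)) for g in by_root.values())

    def collision_domains(self):
        ds = DisjointSet()
        for i, (a, _, b, _) in enumerate(self.links):
            ds.find(i)                                  # each link is its own domain...
            for dev in (a, b):
                if dev in self.hubs:
                    ds.union(("hub", dev), i)           # ...unless a hub joins it to its other links
        return self._groups({h: ds.find(self._host_link(h)) for h in self.hosts})

    def broadcast_domains(self):
        ds = DisjointSet()
        for i, (a, pa, b, pb) in enumerate(self.links):
            ds.find((i, None))                          # (link, None) = untagged segment on the link
            for dev, port in ((a, pa), (b, pb)):
                if dev in self.hubs:
                    ds.union(("hub", dev), (i, None))
                elif (dev, port) in self.ports:
                    cfg = self.ports[(dev, port)]
                    if cfg[0] == "access":
                        ds.union((dev, cfg[1]), (i, None))   # untagged frames join the port's VLAN
                    else:
                        _, vids, native = cfg
                        for vid in vids:
                            ds.union((dev, vid), (i, vid))   # (link, vid) = tagged segment per VLAN
                        ds.union((dev, native), (i, None))
                # hosts and routers: no union, the broadcast stops here
        return self._groups({h: ds.find((self._host_link(h), None)) for h in self.hosts})


def sample_lan(with_vlans=True):
    """Constructed topology; with_vlans=False puts every switch port in VLAN 1."""
    lan = Lan()
    for h in "ABCDE":
        lan.host(h)
    lan.hub("H1")
    lan.router("R1")
    vid = (lambda v: v) if with_vlans else (lambda v: 1)
    lan.access("SW1", 1, vid(10)); lan.access("SW1", 2, vid(20))
    lan.access("SW2", 2, vid(10)); lan.access("SW2", 3, vid(20))
    lan.trunk("SW1", 3, [vid(10), vid(20)]); lan.trunk("SW2", 1, [vid(10), vid(20)])
    lan.trunk("SW2", 4, [vid(10), vid(20)])             # uplink to the router
    lan.link("A", 0, "H1", 1); lan.link("B", 0, "H1", 2); lan.link("H1", 3, "SW1", 1)
    lan.link("C", 0, "SW1", 2); lan.link("SW1", 3, "SW2", 1)
    lan.link("D", 0, "SW2", 2); lan.link("E", 0, "SW2", 3); lan.link("SW2", 4, "R1", 0)
    return lan


if __name__ == "__main__":
    for flag in (True, False):
        lan = sample_lan(flag)
        print("VLANs" if flag else "flat ", lan.collision_domains(), lan.broadcast_domains())
```

Each result is a list of host groups, one tuple per domain. In the VLAN topology hosts A and B share a collision domain through the hub while every switch port is its own; broadcast domains follow VLAN membership across the trunk (A, B, D in VLAN 10; C, E in VLAN 20), which is the segmentation the paragraph above describes.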

3.1 VLAN BENEFITS

- Increased performance
- Improved manageability
- Network tuning and simplification of software configurations
- Physical topology independence
- Increased security options
INCREASED PERFORMANCE
Switched networks by nature increase performance over the shared-media devices in use today, primarily by reducing the size of collision domains. Grouping users into logical networks also increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Additionally, less traffic needs to be routed, and the latency added by routers is reduced.


IMPROVED MANAGEABILITY

VLANs provide an easy, flexible, less costly way to modify logical groups in
changing environments. VLANs make large networks more manageable by
allowing centralized configuration of devices located in physically diverse
locations.

NETWORK TUNING AND SIMPLIFICATION OF SOFTWARE CONFIGURATIONS

VLANs allow LAN administrators to "fine tune" their networks by logically grouping users. Software configurations can be made uniform across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN. Fewer implementations of local server resources such as BOOTP and DHCP will be needed in this environment. These services can be more effectively deployed when they can span buildings within a VLAN.
PHYSICAL TOPOLOGY INDEPENDENCE

VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain. If the physical infrastructure is already in place, it becomes a simple matter to add ports in new locations to existing VLANs if a department expands or relocates. These assignments can take place in advance of the move, and it is then a simple matter to move devices with their existing configurations from one location to another. The old ports can then be "decommissioned" for future use, or reused by the department for new users on the VLAN.

INCREASED SECURITY OPTIONS

VLANs have the ability to provide additional security not available in a shared-media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community, regardless of physical location. In addition, monitoring of a port with a traffic analyzer will only see the traffic associated with that particular port, making discreet monitoring of network traffic more difficult.
It should be noted that the enhanced security mentioned above is not to be considered an absolute safeguard against security infringements. What it provides is an additional safeguard against "casual" but unwelcome attempts to view network traffic.

CLIENT: AAL SYSTEMS LIMITED


CHAPTER TWO
LITERATURE REVIEW
A literature review is a body of text that aims to review the critical points of current knowledge, including substantive findings as well as theoretical and methodological contributions to a particular topic. Literature reviews are secondary sources and, as such, do not report any new or original experimental work.
Most often associated with academic literature, such as a thesis, a literature review usually precedes a research proposal and results section. Its ultimate goal is to bring the reader up to date with the current literature on a topic, and it forms the basis for another goal, such as future research that may be needed in the area.
A well-structured literature review is characterized by a logical flow of ideas; current and relevant references with a consistent, appropriate referencing style; proper use of terminology; and an unbiased and comprehensive view of the previous research on the topic.
Network management refers to the activities, methods, procedures, and tools that pertain to the operation, administration, maintenance, and provisioning of networked systems [1].
Operation deals with keeping the network (and the services that the network provides) up and running smoothly. It includes monitoring the network to spot problems as soon as possible, ideally before users are affected.
Administration deals with keeping track of resources in the network and how they are assigned. It includes all the "housekeeping" that is necessary to keep the network under control.
Maintenance is concerned with performing repairs and upgrades, for example when equipment must be replaced, when a router needs a patch for an operating system image, or when a new switch is added to a network. Maintenance also involves corrective and preventive measures to make the managed network run "better", such as adjusting device configuration parameters.

Provisioning is concerned with configuring resources in the network to support a given service. For example, this might include setting

Performance management (PM) includes activities that ensure that goals are consistently being met in an effective and efficient manner. Performance management can focus on the performance of an organization, a department, an employee, or even the processes used to build a product or service, as well as many other areas.
Performance management does not alone guarantee improvement. Improvement comes through process redesign, innovation, and other forms of continuous improvement. Performance management highlights how a range of activities needs to come together in a conscious, single process of reflection.
There are various features of the organization (including resources, structure, systems, culture) and external factors (for example public engagement, partnerships) that need to be developed to create improvement.
2.1 TCP/IP NETWORK OVERVIEW
SharePoint is document management software that runs over a TCP/IP network.
TCP/IP
The Transmission Control Protocol/Internet Protocol (TCP/IP), according to Held (1995), was an initiative of the Department of Defense of the United States of America, through a research project that attempted to bring together different network providers to form a network of networks. This is now known as the Internet. It initially delivered basic services such as file transfer, electronic mail and remote logon across a large network of client and server systems. At this early stage it had unnoticed problems and lapses, owing to the automatic recovery mechanisms it employs.

OSI model            TCP/IP model
Application          Application (HTTP, FTP, sockets)
Presentation
Session
Transport            Transport (TCP, UDP)
Network              Internet
Data Link            Network Interface
Physical

OSI and TCP/IP model. Source: Understanding TCP/IP

The following are descriptions of the layers that form the OSI and TCP/IP models.

Internet Layer
The internet layer, which corresponds to the network layer in the OSI model, employs a group of protocols for packet delivery, as listed and described below:

Internet Protocol (IP): IP ensures that packets are addressed and routed to their correct destination between networks.
Address Resolution Protocol (ARP): ARP maps the IP address of a destination computer on the local network to its hardware (MAC) address.
Internet Control Message Protocol (ICMP): ICMP is used for testing TCP/IP networks, and is also responsible for reporting errors and status messages about packets being delivered.

Transport Layer
The transport layer ensures that communication between the source and the destination computer exists and converts the information from the application layer into segments for transmission.

Application Layer
High-level TCP/IP services such as FTP, HTTP and SMTP run at the application layer.

Network Interface
Referencing the model above, the network interface layer is the equivalent of the physical and data link layers in the OSI model. This layer normally refers to the hardware and software components of the frame interchange between computers. It also denotes the link between the host and the network.

2.3 SNMP
SNMP is a widely used protocol for data collection from, and configuration of, network devices. It is a very flexible protocol that is employed for many network services.
SNMP was designed to help manage TCP/IP networks centrally. Most network management software employs SNMP, which helps transfer data from remote or client locations to a log on the central server.
SNMP performs its functions using a manager/agent model, where the agent is located on the managed device and the manager on the managing workstation.
An SNMP-managed network consists of three key components: managed devices, agents, and network management systems (NMSs).
A managed device is a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
An NMS executes applications that monitor and control managed devices.
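What the manager actually sends to an agent is a BER-encoded SNMP message over UDP port 161. The following is an added example (not code from the thesis or from any SNMP library) that hand-encodes an SNMPv1 GetRequest for sysDescr.0 and decodes it again. The community string "public" and the request id 1234 are constructed sample values. The decoder needs no secret: in SNMPv1 and v2c the community string, which is the only access control, travels in cleartext, so anyone who can read the wire between NMS and agent can read it too.

```python
"""SNMPv1 GetRequest for sysDescr.0: BER-encode it, then decode it off the wire.

Added example for this thesis; not code from the thesis or from any SNMP
library. The community string "public" and request id 1234 are constructed
sample values. SNMPv1/v2c carry the community string in cleartext, so the
decoder below needs no key to recover it.
"""

# ASN.1 BER tags used by SNMPv1 (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # system.sysDescr.0 from MIB-II


def tlv(tag, body):
    """Tag-Length-Value, definite length (short form below 128 bytes, long form above)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def encode_int(value):
    """Minimal two's-complement INTEGER (a leading 0x00 keeps 128.. positive)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]             # first two arcs share one byte
    for arc in arcs[2:]:                        # base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id):
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_message(packet):
    """Parse version, community, PDU type, request id and the requested OIDs."""
    tag, body, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_type, pdu, _ = read_tlv(body, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)              # error-status
    _, _, pos = read_tlv(pdu, pos)              # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        _, oid_body, _ = read_tlv(varbind)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(),
            "pdu_type": pdu_type,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    packet = build_get_request("public", SYS_DESCR_0, 1234)
    print(packet.hex())
    print(decode_message(packet))
```

The 41-byte packet build_get_request produces is exactly what a socket would send to an agent with sendto(); decode_message run over a captured copy recovers "public" directly from the OCTET STRING, which is why the thesis's security section should treat the community string as a shared password and prefer SNMPv3 where the devices support it.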

2.4 NETWORK MANAGEMENT
Network management can be described as the set of activities performed on a network to ensure smooth and efficient running with minimal downtime. The amount of downtime experienced by a network determines its reliability. These activities include the OSI management functions listed below:
Configuration Management
Performance Management
Accounting Management

2.4.1 CLIENT SERVER PARADIGM

This is a form of computer network paradigm that involves the request and dispatch of information between the client and the server. The initial contact is always from the client to the server, in the form of an information or service request. The server in this case has all the resources and, based on the kind of resource requested by the client, honours the request and executes it, as the client does not have the resources to do so. Lange and Oshima (1998) describe the client as not intelligent enough to execute these requests, since the server has all the know-how, processing power and resources.
This highlights the limitations of the paradigm when put to use, though it is still supported by a number of technologies. Although there are several ways to achieve process-to-process communication, the most common one is through the client/server paradigm.
A process on the local host, called a client, needs services from a process usually on a remote host, called a server.
Both processes (client and server) have the same name. For example, to get the day and time from a remote machine, we need a Daytime client process running on the local host and a Daytime server process running on a remote machine.